Common Data Breach Questions (Part 2)

I am often asked what companies should do when they suffer a data breach. Here are my quick answers to some of the most common questions I get.

If you missed Part 1, check it out here to learn what companies should do immediately following a breach, and how they can create a game plan prior to a breach ever happening.

When should the company start notifying impacted individuals?

Companies should not favor speed over accuracy when disclosing information about a breach to impacted individuals. It is also critical to avoid blind reliance on Cyber Security Incident Response and Forensics firms. Instead, verify the key questions and the procedures followed to obtain answers to those questions, and determine whether or not the organization’s management and board feel it is necessary to communicate that it has “left no stone unturned.”

Examples of disclosing information too quickly can be observed in recent breaches including Target, Sony Pictures, and now Anthem. In each case, there was significant concern from peer experts in the information security community as noted below:

Sony Pictures

A forensics firm was quick to state that the attack was unprecedented and that Sony could not possibly have been prepared for it. Steve Ragan, of CSO, argues that they “could have done plenty to prepare and defend against an attack such as this.” Experts also challenged the assertion that the attackers were from North Korea, including a number of well-known and trusted advisors, with the most recent information coming via Jeffrey Carr.

Target

Calling out that Target was PCI-DSS compliant did little to account for the absence of mitigating controls around connected yet “out of scope” environments like the HVAC system, through which attackers accessed Target’s network. Was the forensics investigation quick to rule out “out of scope” or “unlikely” scenarios that may have identified more affected parties? Why did Target’s SOC fail to communicate and track to resolution?

Anthem

The determination that no medical record access had taken place was exceptionally fast. With the nature and type of systems in that environment, it is a remarkable statement. I hope that this was fully vetted and accurately communicated and that no stone was left unturned. If this ends up being inaccurate, it will be devastating to go forth and announce to the world that all was clear, but then have discovery take place when impending litigation follows, and have forensics experts review the data and disagree.

To make that assertion, and have it stand, the following would have to be known:

That the known attack on Jan 29 was from the hackers who originally accessed the records

That other records were not exfiltrated and audit trails erased

That the credentials obtained in the attack did not HAVE access through pivots, etc., to the medical record or credit card data stores.

A review of the compromised account, tracing backward and forward through network logs to identify every system that may have been accessed, AND host forensics for each affected system to finalize which systems were actually accessed.
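The last point above, tracing a compromised account backward and forward to find every system that may have been touched, is the step most often cut short. The script below is an added example, not Anthem's data or any forensics firm's tooling: it runs over a constructed authentication log (timestamp, account, source host, destination host, result; every host name and account is made up) and builds the list of systems that require host forensics. The forward trace deliberately follows every account that logs in from an already-compromised host after the compromise time, not only the account known to be stolen, because credentials harvested on a pivot host may be what carries the attacker to the next hop. Failed logins are kept as "attempted" targets, and the backward trace lists who logged into the first host before the compromise, which is the entry path to verify.

```python
"""Scope an incident from a compromised account: trace forward to every host it
(or credentials harvested along the way) could have reached, and backward to
how the first host was entered. Constructed example; not Anthem's data or tooling."""
from datetime import datetime, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample authentication log (not real data):
# timestamp account source_host destination_host result
SAMPLE_LOGS = """\
2015-01-25T09:00:00Z a.jones wks-042 db-members01 SUCCESS
2015-01-26T17:45:21Z j.smith vpn-gw01 wks-117 SUCCESS
2015-01-27T08:02:11Z svc_dbbackup wks-117 db-members01 SUCCESS
2015-01-28T22:14:03Z svc_dbbackup db-members01 file-share02 SUCCESS
2015-01-28T22:40:55Z svc_dbbackup db-members01 app-claims03 FAILURE
2015-01-29T01:05:09Z svc_dbbackup file-share02 ehr-archive01 SUCCESS
2015-01-29T03:30:00Z j.smith wks-117 mail01 SUCCESS
"""


def parse_logs(text):
    """Parse whitespace-separated log lines into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, result = line.split()
        events.append({
            "time": datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc),
            "account": account,
            "src": src,
            "dst": dst,
            "ok": result == "SUCCESS",
        })
    return sorted(events, key=lambda e: e["time"])


def trace_forward(events, start_host, start_time):
    """Hosts reachable from start_host via successful logins made after the
    source host was itself in scope. Every account is followed, not only the
    one known to be compromised: credentials found on a compromised host may
    be used for the next pivot. Failed logins are recorded as attempted targets."""
    in_scope = {start_host: start_time}   # host -> earliest time it was reachable
    attempted = {}                         # host -> (time, account) of first failure
    changed = True
    while changed:                         # iterate to a fixpoint
        changed = False
        for e in events:
            if e["src"] not in in_scope or e["time"] < in_scope[e["src"]]:
                continue                   # source not yet compromised at that time
            if not e["ok"]:
                attempted.setdefault(e["dst"], (e["time"], e["account"]))
                continue
            if e["dst"] not in in_scope or e["time"] < in_scope[e["dst"]]:
                in_scope[e["dst"]] = e["time"]
                changed = True
    return in_scope, attempted


def trace_backward(events, host, before_time):
    """Successful logins into host before before_time: candidate entry paths."""
    return [(e["time"].strftime(FMT), e["account"], e["src"])
            for e in events
            if e["dst"] == host and e["ok"] and e["time"] < before_time]


def scope_incident(events, account, first_host):
    """Build the list of systems requiring host forensics, starting from the
    first known successful use of the compromised account from first_host."""
    first = next(e for e in events
                 if e["account"] == account and e["src"] == first_host and e["ok"])
    in_scope, attempted = trace_forward(events, first_host, first["time"])
    return {
        "start": first["time"].strftime(FMT),
        "in_scope": {h: t.strftime(FMT) for h, t in in_scope.items()},
        "attempted": {h: (t.strftime(FMT), a) for h, (t, a) in attempted.items()},
        "entry_candidates": trace_backward(events, first_host, first["time"]),
    }


if __name__ == "__main__":
    report = scope_incident(parse_logs(SAMPLE_LOGS), "svc_dbbackup", "wks-117")
    for host, when in sorted(report["in_scope"].items(), key=lambda kv: kv[1]):
        print(f"host forensics required: {host} (reachable from {when})")
    for host, (when, acct) in report["attempted"].items():
        print(f"attempted, review auth logs: {host} ({acct} at {when})")
    for when, acct, src in report["entry_candidates"]:
        print(f"entry candidate into wks-117: {acct} from {src} at {when}")
```

On the constructed log this rules in five hosts (the workstation, the member database, the file share, the archive it led to, and the mail server reached with a second account from the workstation), flags one failed pivot to the claims application, and points back at a VPN login as the entry path. The earlier unrelated login from a different workstation is correctly left out. The result is intentionally an over-approximation: network logs can only say which systems may have been accessed, and host forensics on each one is what narrows the list to what actually was.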

It is challenging to show that someone who gained enough access to exfiltrate data from a database did not also have access to other hosts from which they could reach medical record and credit card data. These challenges are incredibly difficult, and Anthem has the benefit of a large, intelligent information security team. Resolving them requires close integration between the executive responsible for oversight of the incident, general counsel, the CIO, the infosec team, PR, and the Incident Response and Forensics firm. With all of those parties actively racing to an answer, it is difficult to provide the assurance affected parties need while also maintaining defensible decision paths through the course of the investigation.

Customers want to be able to trust that a company can take care of — not just prevent — a data breach. Mistrust among customers is often the result of unsure details about a breach, not the breach itself. Customers want answers, and they want to know that the company is being forthright and careful with information. A company should disclose breach information to anyone impacted as soon as it is confident it has answers to the key questions, but no sooner.

Who should be in charge of breach notification decisions?

Notification decisions are the responsibility of legal counsel in consultation with the CIO and CPO, with PR heavily involved in packaging, confirmation, verification, and messaging strategy. Tailor the notification letter to the audience, understanding that the audience is made up of actual people. These people are frustrated, and want to know that the brand they trusted — and may trust again — will take care of them.

This is an opportunity to solidify the brand’s promise to their customers by treating them the way you would want to be treated. Speak in simple form: what is known, what is being investigated, and when they can expect to hear from the brand again.